# CMMC Assessment Scoping

> Define CMMC assessment scope, authorization boundary, and network architecture for Level 1 or Level 2. Documents in-scope assets and network diagram narrative for the SSP.



Tags: CMMC, NIST, DoD, Compliance, Scoping


## Example Prompts

- Define our CMMC Level 2 assessment boundary and in-scope components
- Draft the network diagram narrative for our CMMC scope
- Document which assets are in scope for our CMMC assessment

URL: https://rakenne.app/skills/cmmc-scoping/index.md





## Getting Started

Add your source materials to the project workspace, then activate the *CMMC Assessment Scoping* skill. The agent will guide you through the process step by step.

## Example Conversation

> **You:** We're going for CMMC Level 2 and need to document our assessment scope and network diagram. Our CUI lives in our internal file share and in a cloud app we use for contract management.
>
> **Agent:** I'll help you define the CMMC boundary and in-scope assets. For Level 2 we need: (1) CUI assets — systems that process, store, or transmit CUI; (2) security protection assets — systems that protect CUI (e.g. firewalls, IAM, logging); (3) contractor risk-managed assets if you're including any by choice. I'll load the scoping guide and draft a boundary description. Do you have a network diagram we can reference, or should I describe the architecture from your description?
>
> **You:** We have a simple diagram — corporate LAN, DMZ with the contract app, and the file server on the internal segment. No separate test environment with CUI.
>
> **Agent:** I've drafted `cmmc-scope.md` with: (1) Authorization boundary — corporate LAN (internal segment + DMZ), including the contract management app, file server, domain controllers, and boundary firewall; (2) In-scope asset types — CUI assets: file server (FS-01), contract management app (CloudApp); security protection: firewall (FW-01), domain controllers (DC-01, DC-02), SIEM collector; (3) Network diagram narrative describing segments, data flow for CUI (user → file share, user → contract app), and interconnections. Out of scope: guest Wi‑Fi, test lab (no CUI). You can feed this into the SSP and asset inventory skills next.

## Sample Output Excerpt

Below is a representative excerpt from a CMMC scoping document.

---

### Authorization Boundary

The CMMC Level 2 assessment boundary includes all systems that process, store, or transmit CUI or that provide security protection for those systems.

**In scope:**

- **Internal segment:** File server FS-01 (CUI file share), domain controllers DC-01 and DC-02 (authentication, group policy), workstations used to access CUI.
- **DMZ:** Contract management application (SaaS proxy / on-prem component) — CUI processed here; boundary firewall FW-01.
- **Security protection:** FW-01 (boundary protection), DC-01/DC-02 (identification and authentication), SIEM collector (audit logging).

**Out of scope:** Guest Wi‑Fi network; development/test environment (no CUI); building access control system (no CUI processing).

### Network Diagram Narrative

Data flows for CUI: (1) User workstations → FS-01 (SMB) for file share access; (2) User workstations → FW-01 → Contract management app (HTTPS) for contract data. All CUI traffic either remains within the boundary or goes to the designated cloud app. Internal clocks are synchronized via NTP to DC-01.



---

